Written by :
Victoria J. Cvitanovic, Deutsch Kerrigan, LLP and
Dominik J. Cvitanovic, Brettner Cvitanovic, LLC
COVID-19 has impacted the data privacy/cyber security arena as much, if not more, than any other area of the law. The number of people working remotely has boomed due to non-essential business employers being ordered to allow their employees to work from home, executive orders restricting gathering size, and CDC guidance encouraging social distancing. This presents significant concerns to businesses without a large online distributed presence or regular remote working before COVID-19.
Businesses’ servers are being pushed to the limit to see if they can withstand much higher levels of traffic. Employee meetings are now taking place on Zoom or Google Hangout rather than a conference room, and these video streams are taking on more and more employer bandwidth. Slowdowns can result in frustrated employees bypassing common security protections, such as only viewing a confidential document through a remote desktop, to maintain their workflow and complete tasks. It is essential that businesses invest in making sure their servers are up to the task of handling remote work efficiently.
Employees are also using personal devices for work at unprecedented rates. Personal device use can open up businesses to potential threats, especially if employees have not been provided with and/or warned to use Virtual Private Networks (“VPNs”). VPNs allow users to share data on public networks as if the devices were directly connected to a private network. Also, employees should be encouraged to keep their devices updated. Those updates users ignore are often are patches designed to fix a security flaw that was recently discovered. The longer users ignore that red number over Settings, the longer devices are exposed to those threats.
Some businesses built their data integrity infrastructure on the assumption that most business would flow through the local private network at their place of business. With so many employees working out of the office, that assumption may no longer be accurate. The assumption that employees would be using a local private network can result in security blind spots when employees who are usually in the office begin working from home. For example, companies that do allow employees to remotely access work computers must take precautions. Employers should disable the ability to send data between their employees’ virtual desktop and the machine connected still connected at the office. Otherwise, threats from employee personal devices could use the same connection to access work computers and servers.
Due to the number of cybersecurity concerns raised by working from home during COVID-19, employers should refresh employees on their company’s employment information security policies, cybersecurity best practices, bring-your-own-device policies governing employees’ personal devices, and/or cyber incident response plans. These policies will include recommendations to employees on company password best practices, device security requirements, and instructions not to click on blind links. If your business doesn’t have any of those, it may be time to consult with a cybersecurity attorney.